Fortinet FortiGate and Nozomi Networks Guardian
DEPLOYMENT GUIDE
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Contents
Overview
Deployment Prerequisites
Version Compatibility
Licensing
Deployment
Architecture Overview
FortiGate Configuration
Interfaces
Protocol Service
Policy
Create User for Nozomi Networks' Guardian
Nozomi Networks Configuration
Enable FortiGate + Nozomi Networks Configuration
Preparing the Integration for Testing and Deployment
Placing Guardian in Learning Mode
Placing the System in Protecting Mode
Testing the Integration and Deployment
References
Overview
Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organizations around the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack surface and the power to take on ever-increasing performance requirements of the borderless network, today and into the future. Only the Fortinet Security Fabric architecture can deliver security features without compromise to address the most critical security challenges, whether in networked, application, cloud, or mobile environments. Fortinet ranks #1 in the most security appliances shipped worldwide, and more than 400,000 customers trust Fortinet to protect their businesses. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.
About Nozomi
Nozomi Networks is a leading provider of real-time visibility, advanced monitoring capabilities, and strong security for industrial control networks supporting critical infrastructure. Built by a team with industrial control systems (ICS) and network security expertise, Nozomi Networks' Guardian appliances and software inspect industrial networks non-intrusively and apply machine learning (ML) and artificial intelligence (AI) technology to provide unique insight into the topology, devices, and behaviors present in them.
Deployment Prerequisites
1. FortiGate
2. FortiSwitch
3. Nozomi Networks' Guardians
4. An ICS environment with IT and OT networks
Industrial control systems have strict and unique environments that require security to be the top priority. In this document we look at the integration of Fortinet's FortiGate with Nozomi Networks' Guardian appliance to bring the power of the Security Fabric to industrial control systems.
Version Compatibility
This Deployment and Integration Guide applies to FortiGates running FortiOS v5.4 and 5.6 and to Nozomi Networks' Guardian v17.0.0. This guide assumes integration with FortiOS 5.6.
Licensing
For licenses for the Nozomi Networks' Guardian, please contact the Nozomi Networks sales team: http://www.nozominetworks.com/company/contact-us.html
Deployment
Architecture Overview
This is an example of what a supervisory control and data acquisition (SCADA) network may look like, where the FortiGate and the Guardian are located at a point of convergence between the IT and OT networks (and/or the process and OT networks).
The FortiGate sits in-line between the IT and the OT networks, and within the local environment of each OT network itself, actively controlling traffic between the IT network and the OT network. The Nozomi Networks' Guardian is connected in SPAN/port-mirroring mode behind the respective switches, giving it visibility of the network traffic of both networks.
For the purpose of this Integration Guide we will focus on a single segment.
The communication between the FortiGate and the Guardian occurs over the Security Fabric via the management network.
FortiGate Configuration
On the FortiGate there are three basic requirements for it to sit in-line between the IT network and the OT network and to be integrated with the Guardian: three interfaces to be configured, one service, and one policy.
Interfaces
1. IT Network: A port on the FortiGate must be configured for the IT network on a dedicated subnet. Ensure that no Administrative Access options are enabled for this port. ICS environments require tightly secured networks; as such, the least possible administrative access to the interface is recommended.
Also ensure that the "Active Scanning" option is disabled, as this creates unnecessary noise on the network which may impede the integration with the Guardian.
This port will act as the gateway of the IT network.
2. OT Network: Similarly, a port on the FortiGate must be configured for the OT network on a dedicated subnet. Ensure that no Administrative Access options are enabled for this port. ICS environments require tightly secured networks; as such, the least possible administrative access to the interface is recommended.
Also ensure that the "Active Scanning" option is disabled, as this creates unnecessary noise on the network which may impede the integration with the Guardian.
This port will act as the gateway of the OT network.
3. Management Network: A management network needs to be created on which the FortiGate communicates with the Guardian and from which it can be managed.
Protocol Service
Create services for your environment's required protocols.
Typically these are SCADA-oriented protocols such as MODBUS, DNP3, Profibus, FIP, etc. In this example we are creating a service for the MODBUS protocol.
Name this service "Modbus", select Protocol Type "TCP/UDP/SCTP", set Destination Port to "TCP" with port 502, and click OK.
Policy
Creation of one policy is required for traffic coming in from the IT network to the OT network, allowing only the protocol services created in the previous step. Ensure that NAT is disabled and, for the purpose of incident analysis, enable all logging.
Please follow the screenshot for the settings of the policy.
Create User for Nozomi Networks' Guardian
Create a new user for the Nozomi Networks' Guardian to access the FortiGate for the integration.
Go to System > Administrators and click "Create New". Enter the details for the user account as shown in the screenshot below.
1. Enter the User Name, Password, and Comments.
2. Select the Type of the user to be "Local User".
3. Set Administrator Profile to "super_admin".
4. Enable "Restrict login to trusted hosts" and enter the IP of the Nozomi Networks' Guardian.
5. Click OK.
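The interface, service, policy and administrator settings described in the FortiGate Configuration sections above, expressed as the equivalent FortiOS 5.6 CLI. This is an added example, not configuration taken from the guide; the port roles (port1 management, port2 IT, port3 OT), the addresses and the account name are lab assumptions, and the password is a placeholder. `device-identification-active-scan` is the CLI setting behind the GUI's "Active Scanning" option.

```fortios
# Management network: the only interface with administrative access.
# The Guardian reaches the FortiGate here over SSH (port 22).
config system interface
    edit "port1"
        set alias "MGMT"
        set mode static
        set ip 10.10.100.1 255.255.255.0
        set allowaccess ping https ssh
    next
    # IT-side gateway (assumed port2): no administrative access,
    # no device detection and no active scanning.
    edit "port2"
        set alias "IT"
        set mode static
        set ip 10.10.10.1 255.255.255.0
        unset allowaccess
        set device-identification disable
        set device-identification-active-scan disable
    next
    # OT-side gateway (assumed port3): same hardening as the IT port.
    edit "port3"
        set alias "OT"
        set mode static
        set ip 10.10.20.1 255.255.255.0
        unset allowaccess
        set device-identification disable
        set device-identification-active-scan disable
    next
end

# Custom service for Modbus/TCP (TCP destination port 502).
config firewall service custom
    edit "Modbus"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 502
    next
end

# Single IT -> OT policy: only the Modbus service, NAT off, log everything.
# Traffic not matched here falls to the implicit deny policy.
config firewall policy
    edit 1
        set name "IT-to-OT-Modbus"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "Modbus"
        set nat disable
        set logtraffic all
        set comments "Only Modbus/TCP from IT to OT; logged for incident analysis"
    next
end

# Administrator account used by the Guardian. The guide specifies the
# super_admin profile; the trusted-host entry limits logins to the
# Guardian's management IP (assumed 10.10.100.20).
config system admin
    edit "nozomi-guardian"
        set accprofile "super_admin"
        set trusthost1 10.10.100.20 255.255.255.255
        set comments "Nozomi Guardian firewall integration"
        set password REPLACE-WITH-A-STRONG-PASSWORD
    next
end
```

Paste the block into the FortiGate CLI, replacing the port names, addresses and password with your own values.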
Nozomi Networks Configuration
The configuration on the Guardian requires connectivity to the management interface and all the security integration options enabled. Ensure that the management interface of the Nozomi Networks' Guardian can reach the management interface using SSH on port 22.
Ensure that the Guardian is connected to a switch for the IT network and the OT network via SPAN/mirrored ports. This gives the Guardian visibility of the SCADA traffic between the networks.
Enable FortiGate + Nozomi Networks Configuration
1. Under Settings > Firewall Integration, choose "Fortinet FortiGate".
2. Insert the IP address of the management interface of the FortiGate and the user with the password created on the FortiGate for the integration.
Preparing the Integration for Testing and Deployment
The Nozomi Networks' Guardian works on the basis of behavioral analysis and machine learning. When a Guardian is placed in a new environment, the appliance has to be put in the "Learning" state for a designated amount of time prior to live production deployment and prior to enabling Protecting mode.
Placing Guardian in Learning Mode
To ensure that the Guardian is in Learning mode, all prior data must first be reset to a clean state:
1. Log in to the Guardian.
2. Go to System -> Data.
3. Clear all settings by clicking "Select all".
4. Click "Reset" and enter your password.
This ensures that the appliance starts from a clean state with no prior learning.
To ensure that the system is in Learning mode:
Copyright © 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
www.fortinet.com
November 20, 2019, 1:42 PM
1. Log in to the Guardian.
2. Ensure that both the Network and Process sections have "Learning" selected. Here you can see how long the system has been in Learning mode.
Placing the System in Protecting Mode
Once the Guardian has been in Learning mode for an appropriate amount of time, it can be put into "Protecting" mode to begin actively monitoring the ICS environment.
To put the system into Protecting mode:
1. Click "Settings" and go to "Learning".
2. Under the "Network" section, click "Protecting".
Testing the Integration and Deployment
Before testing the integration, ensure that the Guardian's baseline and learning phase are complete.
To test the integration, please refer to the Nozomi Networks Integration Video to replicate the scenarios.
References
1. FortiGate/FortiOS Admin Guides: http://docs.fortinet.com/fortigate/admin-guides
2. Nozomi Networks Guardian Data Sheet: http://www.nozominetworks.com/downloads/US/Nozomi-Networks-SG-Data-Sheet.pdf
3. Nozomi Networks Guardian Resources: http://www.nozominetworks.com/resources.html
4. Fortinet User Community: https://fuse.fortinet.com
5. Nozomi Networks: http://www.nozominetworks.com
2
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Fortinet FortiGate and Nozomi Networks GuardianOverview 3
Deployment Prerequisites 3
Version Compatibility 3
Licensing 3
Deployment 3
Architecture Overview 3
FortiGate Configuration 4
Interfaces 4
Protocol Service 7
Policy 7
Create User for Nozomi Networkrsquos Guardian 8
Nozomi Networks Configuration 9
Enable FortiGate + Nozomi Networks Configuration 9
Preparing the Integration for Testing and Deployment 10
Placing Guardian in Learning Mode 10
Placing the System in Protecting Mode 11
Testing the Integration and Deployment 11
References 11
3
OverviewFortinet (NASDAQ FTNT) secures the largest enterprise service provider and government organizations around the world Fortinet empowers its customers with intelligent seamless protection across the expanding attack surface and the power to take on ever-increasing performance requirements of the borderless network - today and into the future Only the Fortinet Security Fabric architecture can deliver security features without compromise to address the most critical security challenges whether in networked application cloud or mobile environments Fortinet ranks 1 in the most security appliances shipped worldwide and more than 400000 customers trust Fortinet to protect their businesses Learn more at httpswwwfortinetcom the Fortinet Blog or FortiGuard Labs
About Nozomi
Nozomi Networks is a leading provider of real-time visibility advanced monitoring capabilities and strong security for industrial control networks supporting critical infrastructure Built by a team of industrial control systems (ICS) and network security expertise Nozomi Networksrsquo Guardian appliances and software inspect industrial networks non-intrusively and apply machine-learning (ML) with Artificial Intelligence (AI) technology to provide unique insight into the topology devices and behaviors present in it
Deployment Prerequisites
1 FortiGate
2 FortiSwitch
3 Nozomi Networksrsquo Guardians
4 An ICS environment with IT and OT networks
Industrial control systems have strict and unique environments that require security to be the top priority In this document we will look at the integration of Fortinetrsquos FortiGate to Nozomi Networksrsquo Guardian appliance to bring the power of the Security Fabric to the industrial control systems
Version Compatibility
This Deployment and Integration Guide applies to FortiGates with FortiOS v54 and 56 and with Nozomi Networksrsquo Guardian v1700 This guide will assume the integration with FortiOS 56
Licensing
For licenses to the Nozomi Networksrsquo Guardian please contact Nozomi Networks respective sales team httpwww nozominetworkscomcompanycontact-ushtml
Deployment
Architecture Overview
This is an example of what a supervisory control and data acquisition (SCADA) network may look like where the FortiGate and the Guardian are located as a point of convergence between the IT and the OT networks (andor the process and OT networks)
4
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
The FortiGate sits in-line between the IT and the OT networks and within the local environments of each OT network themselvesmdashactively controlling traffic between the IT network and the OT network The Nozomi Networksrsquo Guardian is connected in SPANport mirroring mode behind the respective switches having visibility of network traffic of both networks
For the purpose of this Integration Guide we will focus on a single segment
The communication between the FortiGate and the Guardian occurs over the Security Fabric via the management network
FortiGate Configuration
On the FortiGate there are three basic requirements for the FortiGate to be in-line between the IT network and the OT network and to be integrated with the Guardian There are three interfaces to be configured one service and one policy
Interfaces
5
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
1 IT Network A port on the FortiGate is required to be configured for the IT network on a dedicated subnet Ensure that no Administrative Access options are enabled for this port ICS environments require tightly secured networks As such the least possible administrative access to the interface is recommended
Also ensure that the ldquoActive Scanningrdquo option is disabled as this creates unnecessary noise on the network which may impede the integration with the Guardian
This port will act as the gateway of the IT network
6
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
2 OT Network Similarly a port on the FortiGate is required to be configured for the OT network on a dedicated subnet Ensure that no Administrative Access options are enabled for this port ICS environments require tightly secured networks As such the least possible administrative access to the interface is recommended
Also ensure that the ldquoActive Scanningrdquo option is disabled as this creates unnecessary noise on the network which may impede the integration with the Guardian
This port will act as the gateway of the OT network
3 Management Network A management network needs to be created on which the FortiGate will communicate with the Guardian and from which it can be managed
7
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Protocol Service
Create services for your environmentrsquos required protocols
Typically these are SCADA-oriented protocols such as MODBUS DNP3 Profibus FIP etc In this example we are creating a service for the MODBUS protocol
Name this service ldquoModbusrdquo and select Protocol Type as TCPUDPSCTP and Destination Port as ldquoTCPrdquo and port 502 Click OK
Policy
Creation of one policy is required for traffic coming in from the IT network to the OT network allowing only the protocol services created from the previous step Ensure that NAT is disabled and for the purpose of analysis of incidents enable all logging
8
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Please follow the screenshot for the settings for the policy
Create User for Nozomi Networksrsquo Guardian
Create a new user for the Nozomi Networksrsquo Guardian to access the FortiGate for the integration
Go to System gt Administrators and click on ldquoCreate Newrdquo Enter the details for the user account and enter the details as shown in the screenshot below
1 Enter the User Name Password and Comments
2 Select the Type of the user to be ldquoLocal Userrdquo
3 Set Administrator Profile to ldquosuper_adminrdquo
4 Enable Restrict login to trusted hosts and put in the IP of the Nozomi Networksrsquo Guardian
5 Click OK
9
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Nozomi Networks Configuration
The configuration on the Guardian requires connectivity to the management interface and all the security integration options enabled Ensure that the management interface of the Nozomi Networksrsquo Guardian can reach using protocol ssh on port 22 the management
Ensure that the Guardian is connected to a switch for the IT network and the OT network in SPANmirrored ports This gives the Guardian visibility of the SCADA traffic between the networks
Enable FortiGate + Nozomi Networks Configuration
1 Under Settings gt Firewall Integration choose ldquoFortinet FortiGaterdquo
2 Insert the IP address of the management interface of the FortiGate and the user with the password created on the FortiGate forthe integration
10
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Preparing the Integration for Testing and Deployment
The Nozomi Networksrsquo Guardian works on the basis of behavioral analysis and machine learning When a Guardian is placed in a new environment the appliance has to be put in the ldquoLearningrdquo state prior to live production deployment for a designated amount of time prior to enabling Protecting mode Placing Guardian in Learning Mode
To ensure that the Guardian is in Learning mode all prior data must first be reset to a clean state
1 Log in to the Guardian
2 Go to System -gt Data
3 Clear all settings by clicking on ldquoSelect allrdquo
4 Click on ldquoResetrdquo and enter your password
This will ensure that the appliance is started from a clean state with no prior learning
To ensure that the system is in Learning mode
Copyright copy 2019 Fortinet Inc All rights reserved Fortinetreg FortiGatereg FortiCarereg and FortiGuardreg and certain other marks are registered trademarks of Fortinet Inc and other Fortinet names herein may also be registered andor common law trademarks of Fortinet All other product or company names may be trademarks of their respective owners Performance and other metrics contained herein were attained in internal lab tests under ideal conditions and actual performance and other results may vary Network variables different network environments and other conditions may affect performance results Nothing herein represents any binding commitment by Fortinet and Fortinet disclaims all warranties whether express or implied except to the extent Fortinet enters a binding written contract signed by Fortinetrsquos General Counsel with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and in such event only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet For absolute clarity any such warranty will be limited to performance in the same ideal conditions as in Fortinetrsquos internal lab tests Fortinet disclaims in full any covenants representations and guarantees pursuant hereto whether express or implied Fortinet reserves the right to change modify transfer or otherwise revise this publication without notice and the most current version of the publication shall be applicable Fortinet disclaims in full any covenants representations and guarantees pursuant hereto whether express or implied Fortinet reserves the right to change modify transfer or otherwise revise this publication without notice and the most current version of the publication shall be applicable
wwwfortinetcom
November 20 2019 142 PM
CUserscyanDocumentsAEM2019-11-20DG-Fortinet and Nozomi GuardianDG-Fortinet and Nozomi Guardiandg-fortinet-nozomi-guardian440596-0-0-EN
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
1 Log in to the Guardian
2 Ensure that both the Network and Process sections have ldquoLearningrdquo selected Here you will be able to see the amount of time since the system has been in Learning mode
Placing the System in Protecting Mode
Once the Guardian has been in Learning mode for an appropriate amount of time it can now be put into ldquoProtectingrdquo mode to begin actively monitoring the ICS environment
To put the system into Protecting mode
1 Click on ldquoSettingsrdquo and go to ldquoLearningrdquo
2 Under the ldquoNetworkrdquo section click on ldquoProtectingrdquo
Testing the Integration and Deployment
Before testing the integration you should ensure that the Guardianrsquos baseline and the learning phase is completed
To test the Integration please refer to the Nozomi Networks Integration Video to replicate the scenarios
References
1 FortiGateFortiOS Admin Guides httpdocsfortinetcomfortigateadmin-guides
2 Nozomi Networks Guardian Data Sheet httpwwwnozominetworkscomdownloadsUSNozomi-Networks-SG-Data-Sheetpdf
3 Nozomi Networks Guardian Resources httpwwwnozominetworkscomresourceshtml
4 Fortinet User Community httpsfusefortinetcom
5 Nozomi Networks httpwwwnozominetworkscom
3
OverviewFortinet (NASDAQ FTNT) secures the largest enterprise service provider and government organizations around the world Fortinet empowers its customers with intelligent seamless protection across the expanding attack surface and the power to take on ever-increasing performance requirements of the borderless network - today and into the future Only the Fortinet Security Fabric architecture can deliver security features without compromise to address the most critical security challenges whether in networked application cloud or mobile environments Fortinet ranks 1 in the most security appliances shipped worldwide and more than 400000 customers trust Fortinet to protect their businesses Learn more at httpswwwfortinetcom the Fortinet Blog or FortiGuard Labs
About Nozomi
Nozomi Networks is a leading provider of real-time visibility advanced monitoring capabilities and strong security for industrial control networks supporting critical infrastructure Built by a team of industrial control systems (ICS) and network security expertise Nozomi Networksrsquo Guardian appliances and software inspect industrial networks non-intrusively and apply machine-learning (ML) with Artificial Intelligence (AI) technology to provide unique insight into the topology devices and behaviors present in it
Deployment Prerequisites
1 FortiGate
2 FortiSwitch
3 Nozomi Networksrsquo Guardians
4 An ICS environment with IT and OT networks
Industrial control systems have strict and unique environments that require security to be the top priority In this document we will look at the integration of Fortinetrsquos FortiGate to Nozomi Networksrsquo Guardian appliance to bring the power of the Security Fabric to the industrial control systems
Version Compatibility
This Deployment and Integration Guide applies to FortiGates with FortiOS v54 and 56 and with Nozomi Networksrsquo Guardian v1700 This guide will assume the integration with FortiOS 56
Licensing
For licenses to the Nozomi Networksrsquo Guardian please contact Nozomi Networks respective sales team httpwww nozominetworkscomcompanycontact-ushtml
Deployment
Architecture Overview
This is an example of what a supervisory control and data acquisition (SCADA) network may look like where the FortiGate and the Guardian are located as a point of convergence between the IT and the OT networks (andor the process and OT networks)
4
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
The FortiGate sits in-line between the IT and the OT networks and within the local environments of each OT network themselvesmdashactively controlling traffic between the IT network and the OT network The Nozomi Networksrsquo Guardian is connected in SPANport mirroring mode behind the respective switches having visibility of network traffic of both networks
For the purpose of this Integration Guide we will focus on a single segment
The communication between the FortiGate and the Guardian occurs over the Security Fabric via the management network
FortiGate Configuration
On the FortiGate there are three basic requirements for the FortiGate to be in-line between the IT network and the OT network and to be integrated with the Guardian There are three interfaces to be configured one service and one policy
Interfaces
5
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
1 IT Network A port on the FortiGate is required to be configured for the IT network on a dedicated subnet Ensure that no Administrative Access options are enabled for this port ICS environments require tightly secured networks As such the least possible administrative access to the interface is recommended
Also ensure that the ldquoActive Scanningrdquo option is disabled as this creates unnecessary noise on the network which may impede the integration with the Guardian
This port will act as the gateway of the IT network
6
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
2 OT Network Similarly a port on the FortiGate is required to be configured for the OT network on a dedicated subnet Ensure that no Administrative Access options are enabled for this port ICS environments require tightly secured networks As such the least possible administrative access to the interface is recommended
Also ensure that the ldquoActive Scanningrdquo option is disabled as this creates unnecessary noise on the network which may impede the integration with the Guardian
This port will act as the gateway of the OT network
3 Management Network A management network needs to be created on which the FortiGate will communicate with the Guardian and from which it can be managed
7
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Protocol Service
Create services for your environmentrsquos required protocols
Typically these are SCADA-oriented protocols such as MODBUS DNP3 Profibus FIP etc In this example we are creating a service for the MODBUS protocol
Name this service ldquoModbusrdquo and select Protocol Type as TCPUDPSCTP and Destination Port as ldquoTCPrdquo and port 502 Click OK
Policy
Creation of one policy is required for traffic coming in from the IT network to the OT network allowing only the protocol services created from the previous step Ensure that NAT is disabled and for the purpose of analysis of incidents enable all logging
8
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Please follow the screenshot for the settings for the policy
Create User for Nozomi Networksrsquo Guardian
Create a new user for the Nozomi Networksrsquo Guardian to access the FortiGate for the integration
Go to System gt Administrators and click on ldquoCreate Newrdquo Enter the details for the user account and enter the details as shown in the screenshot below
1 Enter the User Name Password and Comments
2 Select the Type of the user to be ldquoLocal Userrdquo
3 Set Administrator Profile to ldquosuper_adminrdquo
4 Enable Restrict login to trusted hosts and put in the IP of the Nozomi Networksrsquo Guardian
5 Click OK
9
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Nozomi Networks Configuration
The configuration on the Guardian requires connectivity to the management interface and all the security integration options enabled Ensure that the management interface of the Nozomi Networksrsquo Guardian can reach using protocol ssh on port 22 the management
Ensure that the Guardian is connected to a switch for the IT network and the OT network in SPANmirrored ports This gives the Guardian visibility of the SCADA traffic between the networks
Enable FortiGate + Nozomi Networks Configuration
1 Under Settings gt Firewall Integration choose ldquoFortinet FortiGaterdquo
2 Insert the IP address of the management interface of the FortiGate and the user with the password created on the FortiGate forthe integration
10
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Preparing the Integration for Testing and Deployment
The Nozomi Networksrsquo Guardian works on the basis of behavioral analysis and machine learning When a Guardian is placed in a new environment the appliance has to be put in the ldquoLearningrdquo state prior to live production deployment for a designated amount of time prior to enabling Protecting mode Placing Guardian in Learning Mode
To ensure that the Guardian is in Learning mode all prior data must first be reset to a clean state
1 Log in to the Guardian
2 Go to System -gt Data
3 Clear all settings by clicking on ldquoSelect allrdquo
4 Click on ldquoResetrdquo and enter your password
This will ensure that the appliance is started from a clean state with no prior learning
To ensure that the system is in Learning mode
1. Log in to the Guardian.
2. Ensure that both the Network and Process sections have "Learning" selected. Here you will be able to see the amount of time since the system has been in Learning mode.
Placing the System in Protecting Mode
Once the Guardian has been in Learning mode for an appropriate amount of time, it can be put into "Protecting" mode to begin actively monitoring the ICS environment.
To put the system into Protecting mode:
1. Click on "Settings" and go to "Learning".
2. Under the "Network" section, click on "Protecting".
Testing the Integration and Deployment
Before testing the integration, ensure that the Guardian's baseline and learning phase are completed.
To test the integration, refer to the Nozomi Networks Integration Video to replicate the scenarios.
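Before replicating the test scenarios it is worth confirming that the FortiGate side matches what this guide configured through the GUI: IT and OT gateway ports with no administrative access and active scanning disabled, a management interface the Guardian can reach over SSH on port 22, a Modbus service on TCP port 502, a single IT-to-OT policy with NAT disabled and all logging enabled, and a dedicated administrator restricted to the Guardian's address. The FortiOS CLI equivalent below is an added example, not configuration taken from the guide, from Fortinet or from Nozomi Networks. The port names (port2, port3, mgmt), the RFC 5737 documentation addresses, the administrator name and the Guardian IP are placeholders; the `device-identification-active-scan` option name is taken from FortiOS 6.x and should be checked against the release in use.

```fortios
# Added example (not from the guide): FortiOS CLI equivalent of the GUI steps.
# Interface names, addresses and the admin name are placeholders; adjust to your environment.

config system interface
    # 1. IT network gateway: no administrative access, active scanning off
    edit "port2"
        set alias "IT-network"
        set ip 192.0.2.1 255.255.255.0
        unset allowaccess
        set device-identification-active-scan disable
    next
    # 2. OT network gateway: same hardening
    edit "port3"
        set alias "OT-network"
        set ip 198.51.100.1 255.255.255.0
        unset allowaccess
        set device-identification-active-scan disable
    next
    # 3. Management network: the Guardian connects to the FortiGate over SSH (TCP/22)
    edit "mgmt"
        set ip 203.0.113.1 255.255.255.0
        set allowaccess ssh https
    next
end

# Protocol service: Modbus/TCP on port 502
config firewall service custom
    edit "Modbus"
        set tcp-portrange 502
    next
end

# Policy: IT -> OT, Modbus only, NAT disabled, all sessions logged for incident analysis
config firewall policy
    edit 0
        set name "IT-to-OT-Modbus"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "Modbus"
        set logtraffic all
        set nat disable
    next
end

# Administrator for the Guardian: super_admin profile as the guide requires,
# with logins restricted to the Guardian's management address (placeholder IP)
config system admin
    edit "nozomi-guardian"
        set comments "Nozomi Networks Guardian firewall integration"
        set accprofile "super_admin"
        set trusthost1 203.0.113.50 255.255.255.255
        set password <guardian-integration-password>
    next
end

# Checks to run from the FortiGate CLI before the test scenarios:
#   show firewall policy                                 - only the Modbus policy exists from port2 to port3
#   diagnose sniffer packet port3 'tcp port 502' 4 10    - Modbus sessions are seen leaving the OT port
```

`unset allowaccess` removes every administrative protocol from the interface, which is what "no Administrative Access options" in the GUI steps amounts to. The trusted-host entry means the super_admin account can only log in from the Guardian's address, so a leaked password is not usable from anywhere else on the management network.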
References
1. FortiGate/FortiOS Admin Guides: http://docs.fortinet.com/fortigate/admin-guides
2. Nozomi Networks Guardian Data Sheet: http://www.nozominetworks.com/downloads/US/Nozomi-Networks-SG-Data-Sheet.pdf
3. Nozomi Networks Guardian Resources: http://www.nozominetworks.com/resources.html
4. Fortinet User Community: https://fuse.fortinet.com
5. Nozomi Networks: http://www.nozominetworks.com
4
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
The FortiGate sits in-line between the IT and the OT networks and within the local environments of each OT network themselvesmdashactively controlling traffic between the IT network and the OT network The Nozomi Networksrsquo Guardian is connected in SPANport mirroring mode behind the respective switches having visibility of network traffic of both networks
For the purpose of this Integration Guide we will focus on a single segment
The communication between the FortiGate and the Guardian occurs over the Security Fabric via the management network
FortiGate Configuration
On the FortiGate there are three basic requirements for the FortiGate to be in-line between the IT network and the OT network and to be integrated with the Guardian There are three interfaces to be configured one service and one policy
Interfaces
5
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
1 IT Network A port on the FortiGate is required to be configured for the IT network on a dedicated subnet Ensure that no Administrative Access options are enabled for this port ICS environments require tightly secured networks As such the least possible administrative access to the interface is recommended
Also ensure that the ldquoActive Scanningrdquo option is disabled as this creates unnecessary noise on the network which may impede the integration with the Guardian
This port will act as the gateway of the IT network
6
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
2 OT Network Similarly a port on the FortiGate is required to be configured for the OT network on a dedicated subnet Ensure that no Administrative Access options are enabled for this port ICS environments require tightly secured networks As such the least possible administrative access to the interface is recommended
Also ensure that the ldquoActive Scanningrdquo option is disabled as this creates unnecessary noise on the network which may impede the integration with the Guardian
This port will act as the gateway of the OT network
3 Management Network A management network needs to be created on which the FortiGate will communicate with the Guardian and from which it can be managed
7
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Protocol Service
Create services for your environmentrsquos required protocols
Typically these are SCADA-oriented protocols such as MODBUS DNP3 Profibus FIP etc In this example we are creating a service for the MODBUS protocol
Name this service ldquoModbusrdquo and select Protocol Type as TCPUDPSCTP and Destination Port as ldquoTCPrdquo and port 502 Click OK
Policy
Creation of one policy is required for traffic coming in from the IT network to the OT network allowing only the protocol services created from the previous step Ensure that NAT is disabled and for the purpose of analysis of incidents enable all logging
8
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Please follow the screenshot for the settings for the policy
Create User for Nozomi Networksrsquo Guardian
Create a new user for the Nozomi Networksrsquo Guardian to access the FortiGate for the integration
Go to System gt Administrators and click on ldquoCreate Newrdquo Enter the details for the user account and enter the details as shown in the screenshot below
1 Enter the User Name Password and Comments
2 Select the Type of the user to be ldquoLocal Userrdquo
3 Set Administrator Profile to ldquosuper_adminrdquo
4 Enable Restrict login to trusted hosts and put in the IP of the Nozomi Networksrsquo Guardian
5 Click OK
9
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Nozomi Networks Configuration
The configuration on the Guardian requires connectivity to the management interface and all the security integration options enabled Ensure that the management interface of the Nozomi Networksrsquo Guardian can reach using protocol ssh on port 22 the management
Ensure that the Guardian is connected to a switch for the IT network and the OT network in SPANmirrored ports This gives the Guardian visibility of the SCADA traffic between the networks
Enable FortiGate + Nozomi Networks Configuration
1 Under Settings gt Firewall Integration choose ldquoFortinet FortiGaterdquo
2 Insert the IP address of the management interface of the FortiGate and the user with the password created on the FortiGate forthe integration
10
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Preparing the Integration for Testing and Deployment
The Nozomi Networksrsquo Guardian works on the basis of behavioral analysis and machine learning When a Guardian is placed in a new environment the appliance has to be put in the ldquoLearningrdquo state prior to live production deployment for a designated amount of time prior to enabling Protecting mode Placing Guardian in Learning Mode
To ensure that the Guardian is in Learning mode all prior data must first be reset to a clean state
1 Log in to the Guardian
2 Go to System -gt Data
3 Clear all settings by clicking on ldquoSelect allrdquo
4 Click on ldquoResetrdquo and enter your password
This will ensure that the appliance is started from a clean state with no prior learning
To ensure that the system is in Learning mode
Copyright copy 2019 Fortinet Inc All rights reserved Fortinetreg FortiGatereg FortiCarereg and FortiGuardreg and certain other marks are registered trademarks of Fortinet Inc and other Fortinet names herein may also be registered andor common law trademarks of Fortinet All other product or company names may be trademarks of their respective owners Performance and other metrics contained herein were attained in internal lab tests under ideal conditions and actual performance and other results may vary Network variables different network environments and other conditions may affect performance results Nothing herein represents any binding commitment by Fortinet and Fortinet disclaims all warranties whether express or implied except to the extent Fortinet enters a binding written contract signed by Fortinetrsquos General Counsel with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and in such event only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet For absolute clarity any such warranty will be limited to performance in the same ideal conditions as in Fortinetrsquos internal lab tests Fortinet disclaims in full any covenants representations and guarantees pursuant hereto whether express or implied Fortinet reserves the right to change modify transfer or otherwise revise this publication without notice and the most current version of the publication shall be applicable Fortinet disclaims in full any covenants representations and guarantees pursuant hereto whether express or implied Fortinet reserves the right to change modify transfer or otherwise revise this publication without notice and the most current version of the publication shall be applicable
wwwfortinetcom
November 20 2019 142 PM
CUserscyanDocumentsAEM2019-11-20DG-Fortinet and Nozomi GuardianDG-Fortinet and Nozomi Guardiandg-fortinet-nozomi-guardian440596-0-0-EN
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
1 Log in to the Guardian
2 Ensure that both the Network and Process sections have ldquoLearningrdquo selected Here you will be able to see the amount of time since the system has been in Learning mode
Placing the System in Protecting Mode
Once the Guardian has been in Learning mode for an appropriate amount of time it can now be put into ldquoProtectingrdquo mode to begin actively monitoring the ICS environment
To put the system into Protecting mode
1 Click on ldquoSettingsrdquo and go to ldquoLearningrdquo
2 Under the ldquoNetworkrdquo section click on ldquoProtectingrdquo
Testing the Integration and Deployment
Before testing the integration you should ensure that the Guardianrsquos baseline and the learning phase is completed
To test the Integration please refer to the Nozomi Networks Integration Video to replicate the scenarios
References
1 FortiGateFortiOS Admin Guides httpdocsfortinetcomfortigateadmin-guides
2 Nozomi Networks Guardian Data Sheet httpwwwnozominetworkscomdownloadsUSNozomi-Networks-SG-Data-Sheetpdf
3 Nozomi Networks Guardian Resources httpwwwnozominetworkscomresourceshtml
4 Fortinet User Community httpsfusefortinetcom
5 Nozomi Networks httpwwwnozominetworkscom
5
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
1 IT Network A port on the FortiGate is required to be configured for the IT network on a dedicated subnet Ensure that no Administrative Access options are enabled for this port ICS environments require tightly secured networks As such the least possible administrative access to the interface is recommended
Also ensure that the ldquoActive Scanningrdquo option is disabled as this creates unnecessary noise on the network which may impede the integration with the Guardian
This port will act as the gateway of the IT network
6
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
2 OT Network Similarly a port on the FortiGate is required to be configured for the OT network on a dedicated subnet Ensure that no Administrative Access options are enabled for this port ICS environments require tightly secured networks As such the least possible administrative access to the interface is recommended
Also ensure that the ldquoActive Scanningrdquo option is disabled as this creates unnecessary noise on the network which may impede the integration with the Guardian
This port will act as the gateway of the OT network
3 Management Network A management network needs to be created on which the FortiGate will communicate with the Guardian and from which it can be managed
7
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Protocol Service
Create services for your environmentrsquos required protocols
Typically these are SCADA-oriented protocols such as MODBUS DNP3 Profibus FIP etc In this example we are creating a service for the MODBUS protocol
Name this service ldquoModbusrdquo and select Protocol Type as TCPUDPSCTP and Destination Port as ldquoTCPrdquo and port 502 Click OK
Policy
Creation of one policy is required for traffic coming in from the IT network to the OT network allowing only the protocol services created from the previous step Ensure that NAT is disabled and for the purpose of analysis of incidents enable all logging
8
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Please follow the screenshot for the settings for the policy
Create User for Nozomi Networksrsquo Guardian
Create a new user for the Nozomi Networksrsquo Guardian to access the FortiGate for the integration
Go to System gt Administrators and click on ldquoCreate Newrdquo Enter the details for the user account and enter the details as shown in the screenshot below
1 Enter the User Name Password and Comments
2 Select the Type of the user to be ldquoLocal Userrdquo
3 Set Administrator Profile to ldquosuper_adminrdquo
4 Enable Restrict login to trusted hosts and put in the IP of the Nozomi Networksrsquo Guardian
5 Click OK
9
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Nozomi Networks Configuration
The configuration on the Guardian requires connectivity to the management interface and all the security integration options enabled Ensure that the management interface of the Nozomi Networksrsquo Guardian can reach using protocol ssh on port 22 the management
Ensure that the Guardian is connected to a switch for the IT network and the OT network in SPANmirrored ports This gives the Guardian visibility of the SCADA traffic between the networks
Enable FortiGate + Nozomi Networks Configuration
1 Under Settings gt Firewall Integration choose ldquoFortinet FortiGaterdquo
2 Insert the IP address of the management interface of the FortiGate and the user with the password created on the FortiGate forthe integration
10
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Preparing the Integration for Testing and Deployment
The Nozomi Networksrsquo Guardian works on the basis of behavioral analysis and machine learning When a Guardian is placed in a new environment the appliance has to be put in the ldquoLearningrdquo state prior to live production deployment for a designated amount of time prior to enabling Protecting mode Placing Guardian in Learning Mode
To ensure that the Guardian is in Learning mode all prior data must first be reset to a clean state
1 Log in to the Guardian
2 Go to System -gt Data
3 Clear all settings by clicking on ldquoSelect allrdquo
4 Click on ldquoResetrdquo and enter your password
This will ensure that the appliance is started from a clean state with no prior learning
To ensure that the system is in Learning mode
Copyright copy 2019 Fortinet Inc All rights reserved Fortinetreg FortiGatereg FortiCarereg and FortiGuardreg and certain other marks are registered trademarks of Fortinet Inc and other Fortinet names herein may also be registered andor common law trademarks of Fortinet All other product or company names may be trademarks of their respective owners Performance and other metrics contained herein were attained in internal lab tests under ideal conditions and actual performance and other results may vary Network variables different network environments and other conditions may affect performance results Nothing herein represents any binding commitment by Fortinet and Fortinet disclaims all warranties whether express or implied except to the extent Fortinet enters a binding written contract signed by Fortinetrsquos General Counsel with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and in such event only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet For absolute clarity any such warranty will be limited to performance in the same ideal conditions as in Fortinetrsquos internal lab tests Fortinet disclaims in full any covenants representations and guarantees pursuant hereto whether express or implied Fortinet reserves the right to change modify transfer or otherwise revise this publication without notice and the most current version of the publication shall be applicable Fortinet disclaims in full any covenants representations and guarantees pursuant hereto whether express or implied Fortinet reserves the right to change modify transfer or otherwise revise this publication without notice and the most current version of the publication shall be applicable
wwwfortinetcom
November 20 2019 142 PM
CUserscyanDocumentsAEM2019-11-20DG-Fortinet and Nozomi GuardianDG-Fortinet and Nozomi Guardiandg-fortinet-nozomi-guardian440596-0-0-EN
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
1 Log in to the Guardian
2 Ensure that both the Network and Process sections have ldquoLearningrdquo selected Here you will be able to see the amount of time since the system has been in Learning mode
Placing the System in Protecting Mode
Once the Guardian has been in Learning mode for an appropriate amount of time it can now be put into ldquoProtectingrdquo mode to begin actively monitoring the ICS environment
To put the system into Protecting mode
1 Click on ldquoSettingsrdquo and go to ldquoLearningrdquo
2 Under the ldquoNetworkrdquo section click on ldquoProtectingrdquo
Testing the Integration and Deployment
Before testing the integration you should ensure that the Guardianrsquos baseline and the learning phase is completed
To test the Integration please refer to the Nozomi Networks Integration Video to replicate the scenarios
References
1 FortiGateFortiOS Admin Guides httpdocsfortinetcomfortigateadmin-guides
2 Nozomi Networks Guardian Data Sheet httpwwwnozominetworkscomdownloadsUSNozomi-Networks-SG-Data-Sheetpdf
3 Nozomi Networks Guardian Resources httpwwwnozominetworkscomresourceshtml
4 Fortinet User Community httpsfusefortinetcom
5 Nozomi Networks httpwwwnozominetworkscom
6
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
2 OT Network Similarly a port on the FortiGate is required to be configured for the OT network on a dedicated subnet Ensure that no Administrative Access options are enabled for this port ICS environments require tightly secured networks As such the least possible administrative access to the interface is recommended
Also ensure that the ldquoActive Scanningrdquo option is disabled as this creates unnecessary noise on the network which may impede the integration with the Guardian
This port will act as the gateway of the OT network
3 Management Network A management network needs to be created on which the FortiGate will communicate with the Guardian and from which it can be managed
7
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Protocol Service
Create services for your environmentrsquos required protocols
Typically these are SCADA-oriented protocols such as MODBUS DNP3 Profibus FIP etc In this example we are creating a service for the MODBUS protocol
Name this service ldquoModbusrdquo and select Protocol Type as TCPUDPSCTP and Destination Port as ldquoTCPrdquo and port 502 Click OK
Policy
Creation of one policy is required for traffic coming in from the IT network to the OT network allowing only the protocol services created from the previous step Ensure that NAT is disabled and for the purpose of analysis of incidents enable all logging
8
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Please follow the screenshot for the settings for the policy
Create User for Nozomi Networksrsquo Guardian
Create a new user for the Nozomi Networksrsquo Guardian to access the FortiGate for the integration
Go to System gt Administrators and click on ldquoCreate Newrdquo Enter the details for the user account and enter the details as shown in the screenshot below
1 Enter the User Name Password and Comments
2 Select the Type of the user to be ldquoLocal Userrdquo
3 Set Administrator Profile to ldquosuper_adminrdquo
4 Enable Restrict login to trusted hosts and put in the IP of the Nozomi Networksrsquo Guardian
5 Click OK
9
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Nozomi Networks Configuration
The configuration on the Guardian requires connectivity to the management interface and all the security integration options enabled Ensure that the management interface of the Nozomi Networksrsquo Guardian can reach using protocol ssh on port 22 the management
Ensure that the Guardian is connected to a switch for the IT network and the OT network in SPANmirrored ports This gives the Guardian visibility of the SCADA traffic between the networks
Enable FortiGate + Nozomi Networks Configuration
1 Under Settings gt Firewall Integration choose ldquoFortinet FortiGaterdquo
2 Insert the IP address of the management interface of the FortiGate and the user with the password created on the FortiGate forthe integration
10
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Preparing the Integration for Testing and Deployment
The Nozomi Networksrsquo Guardian works on the basis of behavioral analysis and machine learning When a Guardian is placed in a new environment the appliance has to be put in the ldquoLearningrdquo state prior to live production deployment for a designated amount of time prior to enabling Protecting mode Placing Guardian in Learning Mode
To ensure that the Guardian is in Learning mode all prior data must first be reset to a clean state
1 Log in to the Guardian
2 Go to System -gt Data
3 Clear all settings by clicking on ldquoSelect allrdquo
4 Click on ldquoResetrdquo and enter your password
This will ensure that the appliance is started from a clean state with no prior learning
To ensure that the system is in Learning mode
Copyright copy 2019 Fortinet Inc All rights reserved Fortinetreg FortiGatereg FortiCarereg and FortiGuardreg and certain other marks are registered trademarks of Fortinet Inc and other Fortinet names herein may also be registered andor common law trademarks of Fortinet All other product or company names may be trademarks of their respective owners Performance and other metrics contained herein were attained in internal lab tests under ideal conditions and actual performance and other results may vary Network variables different network environments and other conditions may affect performance results Nothing herein represents any binding commitment by Fortinet and Fortinet disclaims all warranties whether express or implied except to the extent Fortinet enters a binding written contract signed by Fortinetrsquos General Counsel with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and in such event only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet For absolute clarity any such warranty will be limited to performance in the same ideal conditions as in Fortinetrsquos internal lab tests Fortinet disclaims in full any covenants representations and guarantees pursuant hereto whether express or implied Fortinet reserves the right to change modify transfer or otherwise revise this publication without notice and the most current version of the publication shall be applicable Fortinet disclaims in full any covenants representations and guarantees pursuant hereto whether express or implied Fortinet reserves the right to change modify transfer or otherwise revise this publication without notice and the most current version of the publication shall be applicable
wwwfortinetcom
November 20 2019 142 PM
CUserscyanDocumentsAEM2019-11-20DG-Fortinet and Nozomi GuardianDG-Fortinet and Nozomi Guardiandg-fortinet-nozomi-guardian440596-0-0-EN
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
1 Log in to the Guardian
2 Ensure that both the Network and Process sections have ldquoLearningrdquo selected Here you will be able to see the amount of time since the system has been in Learning mode
Placing the System in Protecting Mode
Once the Guardian has been in Learning mode for an appropriate amount of time it can now be put into ldquoProtectingrdquo mode to begin actively monitoring the ICS environment
To put the system into Protecting mode
1 Click on ldquoSettingsrdquo and go to ldquoLearningrdquo
2 Under the ldquoNetworkrdquo section click on ldquoProtectingrdquo
Testing the Integration and Deployment
Before testing the integration you should ensure that the Guardianrsquos baseline and the learning phase is completed
To test the Integration please refer to the Nozomi Networks Integration Video to replicate the scenarios
References
1 FortiGateFortiOS Admin Guides httpdocsfortinetcomfortigateadmin-guides
2 Nozomi Networks Guardian Data Sheet httpwwwnozominetworkscomdownloadsUSNozomi-Networks-SG-Data-Sheetpdf
3 Nozomi Networks Guardian Resources httpwwwnozominetworkscomresourceshtml
4 Fortinet User Community httpsfusefortinetcom
5 Nozomi Networks httpwwwnozominetworkscom
7
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Protocol Service
Create services for your environmentrsquos required protocols
Typically these are SCADA-oriented protocols such as MODBUS DNP3 Profibus FIP etc In this example we are creating a service for the MODBUS protocol
Name this service ldquoModbusrdquo and select Protocol Type as TCPUDPSCTP and Destination Port as ldquoTCPrdquo and port 502 Click OK
Policy
Creation of one policy is required for traffic coming in from the IT network to the OT network allowing only the protocol services created from the previous step Ensure that NAT is disabled and for the purpose of analysis of incidents enable all logging
8
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Please follow the screenshot for the settings for the policy
Create User for Nozomi Networksrsquo Guardian
Create a new user for the Nozomi Networksrsquo Guardian to access the FortiGate for the integration
Go to System gt Administrators and click on ldquoCreate Newrdquo Enter the details for the user account and enter the details as shown in the screenshot below
1 Enter the User Name Password and Comments
2 Select the Type of the user to be ldquoLocal Userrdquo
3 Set Administrator Profile to ldquosuper_adminrdquo
4 Enable Restrict login to trusted hosts and put in the IP of the Nozomi Networksrsquo Guardian
5 Click OK
9
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Nozomi Networks Configuration
The configuration on the Guardian requires connectivity to the management interface and all the security integration options enabled Ensure that the management interface of the Nozomi Networksrsquo Guardian can reach using protocol ssh on port 22 the management
Ensure that the Guardian is connected to a switch for the IT network and the OT network in SPANmirrored ports This gives the Guardian visibility of the SCADA traffic between the networks
Enable FortiGate + Nozomi Networks Configuration
1 Under Settings gt Firewall Integration choose ldquoFortinet FortiGaterdquo
2 Insert the IP address of the management interface of the FortiGate and the user with the password created on the FortiGate forthe integration
10
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Preparing the Integration for Testing and Deployment
The Nozomi Networksrsquo Guardian works on the basis of behavioral analysis and machine learning When a Guardian is placed in a new environment the appliance has to be put in the ldquoLearningrdquo state prior to live production deployment for a designated amount of time prior to enabling Protecting mode Placing Guardian in Learning Mode
To ensure that the Guardian is in Learning mode all prior data must first be reset to a clean state
1 Log in to the Guardian
2 Go to System -gt Data
3 Clear all settings by clicking on ldquoSelect allrdquo
4 Click on ldquoResetrdquo and enter your password
This will ensure that the appliance is started from a clean state with no prior learning
To ensure that the system is in Learning mode
Copyright copy 2019 Fortinet Inc All rights reserved Fortinetreg FortiGatereg FortiCarereg and FortiGuardreg and certain other marks are registered trademarks of Fortinet Inc and other Fortinet names herein may also be registered andor common law trademarks of Fortinet All other product or company names may be trademarks of their respective owners Performance and other metrics contained herein were attained in internal lab tests under ideal conditions and actual performance and other results may vary Network variables different network environments and other conditions may affect performance results Nothing herein represents any binding commitment by Fortinet and Fortinet disclaims all warranties whether express or implied except to the extent Fortinet enters a binding written contract signed by Fortinetrsquos General Counsel with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and in such event only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet For absolute clarity any such warranty will be limited to performance in the same ideal conditions as in Fortinetrsquos internal lab tests Fortinet disclaims in full any covenants representations and guarantees pursuant hereto whether express or implied Fortinet reserves the right to change modify transfer or otherwise revise this publication without notice and the most current version of the publication shall be applicable Fortinet disclaims in full any covenants representations and guarantees pursuant hereto whether express or implied Fortinet reserves the right to change modify transfer or otherwise revise this publication without notice and the most current version of the publication shall be applicable
wwwfortinetcom
November 20 2019 142 PM
CUserscyanDocumentsAEM2019-11-20DG-Fortinet and Nozomi GuardianDG-Fortinet and Nozomi Guardiandg-fortinet-nozomi-guardian440596-0-0-EN
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
1 Log in to the Guardian
2 Ensure that both the Network and Process sections have ldquoLearningrdquo selected Here you will be able to see the amount of time since the system has been in Learning mode
Placing the System in Protecting Mode
Once the Guardian has been in Learning mode for an appropriate amount of time it can now be put into ldquoProtectingrdquo mode to begin actively monitoring the ICS environment
To put the system into Protecting mode
1 Click on ldquoSettingsrdquo and go to ldquoLearningrdquo
2 Under the ldquoNetworkrdquo section click on ldquoProtectingrdquo
Testing the Integration and Deployment
Before testing the integration you should ensure that the Guardianrsquos baseline and the learning phase is completed
To test the Integration please refer to the Nozomi Networks Integration Video to replicate the scenarios
References
1 FortiGateFortiOS Admin Guides httpdocsfortinetcomfortigateadmin-guides
2 Nozomi Networks Guardian Data Sheet httpwwwnozominetworkscomdownloadsUSNozomi-Networks-SG-Data-Sheetpdf
3 Nozomi Networks Guardian Resources httpwwwnozominetworkscomresourceshtml
4 Fortinet User Community httpsfusefortinetcom
5 Nozomi Networks httpwwwnozominetworkscom
8
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Please follow the screenshot for the settings for the policy
Create User for Nozomi Networksrsquo Guardian
Create a new user for the Nozomi Networksrsquo Guardian to access the FortiGate for the integration
Go to System gt Administrators and click on ldquoCreate Newrdquo Enter the details for the user account and enter the details as shown in the screenshot below
1 Enter the User Name Password and Comments
2 Select the Type of the user to be ldquoLocal Userrdquo
3 Set Administrator Profile to ldquosuper_adminrdquo
4 Enable Restrict login to trusted hosts and put in the IP of the Nozomi Networksrsquo Guardian
5 Click OK
9
DEPLOYMENT GUIDE | Fortinet FortiGate and Nozomi Networks Guardian
Nozomi Networks Configuration
The configuration on the Guardian requires connectivity to the management interface and all the security integration options enabled. Ensure that the management interface of the Nozomi Networks' Guardian can reach, using protocol SSH on port 22, the management
Ensure that the Guardian is connected to a switch for the IT network and the OT network via SPAN/mirrored ports. This gives the Guardian visibility of the SCADA traffic between the networks.
Enable FortiGate + Nozomi Networks Configuration
1. Under Settings > Firewall Integration, choose "Fortinet FortiGate".
2. Insert the IP address of the management interface of the FortiGate and the user with the password created on the FortiGate for the integration.
Preparing the Integration for Testing and Deployment
The Nozomi Networks' Guardian works on the basis of behavioral analysis and machine learning. When a Guardian is placed in a new environment, the appliance has to be put in the "Learning" state for a designated amount of time prior to live production deployment and before enabling Protecting mode.
Placing Guardian in Learning Mode
To ensure that the Guardian is in Learning mode, all prior data must first be reset to a clean state:
1. Log in to the Guardian.
2. Go to System > Data.
3. Clear all settings by clicking on "Select all".
4. Click on "Reset" and enter your password.
This will ensure that the appliance starts from a clean state with no prior learning.
To ensure that the system is in Learning mode:
Copyright © 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
www.fortinet.com
November 20, 2019 1:42 PM
1. Log in to the Guardian.
2. Ensure that both the Network and Process sections have "Learning" selected. Here you will be able to see the amount of time the system has been in Learning mode.
Placing the System in Protecting Mode
Once the Guardian has been in Learning mode for an appropriate amount of time, it can be put into "Protecting" mode to begin actively monitoring the ICS environment.
To put the system into Protecting mode:
1. Click on "Settings" and go to "Learning".
2. Under the "Network" section, click on "Protecting".
Testing the Integration and Deployment
Before testing the integration, ensure that the Guardian's baseline and learning phase are completed.
To test the integration, please refer to the Nozomi Networks Integration Video to replicate the scenarios.